CyberArk Cloud Deployment Troubleshooting Guide

Uploaded by nohex76700

CyberArk Cloud Solution

Deployment & Administration Troubleshooting

© 2023 CyberArk Software Ltd. All rights reserved


© Copyright 1999-2024 CyberArk Software. All rights reserved. No portion of this
publication may be reproduced in any form or by any means without the express written
consent of CyberArk Software. CyberArk®, the CyberArk logo and other trade or service
names appearing above are registered trademarks (or trademarks) of CyberArk Software
in the U.S. and other jurisdictions. Any other trade and service names are the property of
their respective owners.

CyberArk believes the information in this document is accurate as of its publication date.
The information is provided without any express, statutory, or implied warranties and is
subject to change without notice.

© 2024 CyberArk Software Ltd. All rights reserved


Agenda

Upon completion of this lesson, the participant will be able to:

1. Restore credential files
2. Troubleshoot:
   • CPM
   • SIA
   • PSM
   • HTML5 Gateway

Components Authentication Issues
• As we discussed in a previous lesson, the credentials for the component services on the Connector server must match the credentials stored on the Vault
• After the component successfully authenticates, the Vault and CredFile secret is rotated
• This way, the Vault keeps these credentials in sync and secure

[Diagram labels: Connector Server, Connector1/******, Vault, Cred File]

Restoring Credential After Failure
Restoring components connectivity
• Components may sometimes be disconnected from Privilege Cloud (Connectivity Status = Disconnected)
• You can see this in the System Health tab

The most common reasons:

Network issues
• First check your network.
• If there are no issues, check for sync issues.

Synch issues
• The component is no longer able to authenticate to Privilege Cloud
• In this case, you can restore connectivity for the relevant component.

Restoring Credential After Failure
The CreateCredFile-Helper tool
• Downloaded from the Marketplace, it simply recreates the Credential File for:
⎼ CPM
⎼ PSM
⎼ PSMP
⎼ CP
⎼ CCP
• CreateCredFile-Helper relies on the InstallerUser to generate a new secret in the Vault, then stops the service on the connector, creates a new credential file, and restarts the service.
• Since version 14.2, it also recreates the ApiKeyFile, used for REST API communication.

Please check the Lab Guide for more details or the video below

CPM Troubleshooting

Target Windows Accounts

Understanding the problem:
• Verify / Change / Reconcile
• API and net use command
• Alternative plugins: WMI plugin / PowerShell plugin

Suggested Troubleshooting:
• Check Windows Event Viewer
• Check for “outstanding” Local Security Settings
• Run net use manually from the Connector server to verify the connection

Target UNIX Accounts

Understanding the problem:
• Which operations are affected: Verify / Change / Reconcile / All

Suggested Troubleshooting:
• Prompts and Process files
  ⎼ Add a basic prompt
• Disable DEP (troubleshooting only)
• Add exceptions for DEP on the Connector server
• Running plink manually

Syntax:
C:\Program Files (x86)\CyberArk\Password Manager\bin\[Link] <target IP address> -ssh -P <port>

Add Prompts on Connector Server
• In some cases, the CPM may encounter unknown prompts on different UNIX based machines.
• In such cases, you will need to add the custom prompt to the relevant prompts files.

(e.g.) C:\Program Files (x86)\CyberArk\Password Manager\bin\[Link]

CPM Password Change Failure - Frequency

A few minutes after initiating a password change, a warning icon appears on the account.

After checking the error, the vault admin sees a note about the password policy and a winRc code. From there, he can consult the Knowledge Base with the specific code winRc=2245.

CPM Password Change Failure - Frequency

Searching for the code, several articles will be displayed.

Select the most relevant and check the Cause and Resolution section for a fix.

CPM Password Change Failure - Frequency

Here we have to change the Minimum password age to 0 days so that it does not prevent the CPM from working, for example with One Time Passwords.

Always make sure the platform password settings are at least as strict as the ones on the target system.

SIA Troubleshooting

SIA Connection Issues and Latency

SIA Session diagnostics

PSM Troubleshooting

PSM-RDP Connection Troubleshooting

Understanding the problem:
• At what stage does the problem occur? (Cloud Portal / Connector / Target)
• One account? Multiple accounts? Same type?
• Which connection type is being used? RDP file / RemoteApp
• Are there multiple Connector Servers with the PSM role?
  • Are they load-balanced?

PSM Shadow Users
• Shadow Users are created by the PSM upon first connection.
• They are only used for RemoteApp
• They store application local settings and isolate the users’ data
• Troubleshoot problems related to Shadow Users by:
  ⎼ Deleting the shadow user (which will allow the PSM to recreate the user)
  ⎼ Resetting the password to test the account

Adjust AppLocker
• The PSM uses the Windows AppLocker feature, which defines a set of rules that allow or deny applications from running on the PSM machine.
• When adding a new component, you must also adjust AppLocker by:
  • Adding an exception to [Link]
    ⎼ Uncomment the line relating to the new component
  • Running the PSMConfigureApplocker.ps1 script

Disable AppLocker
You can also disable AppLocker entirely (for isolating the problem only) using the MMC snap-ins:
1. On the Start screen, type [Link] or [Link]
2. Go to Computer Configuration → Windows Settings → Security Settings → Application Control Policies → AppLocker
3. Click on Configure rule enforcement and set Executable Rules to Audit Only
4. Turn Enforce rules back on after testing
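
To confirm which enforcement mode is actually in effect on the PSM machine, and to see which executables the rules block or would block while in Audit Only, the following check can be run in an elevated PowerShell session. It is an added example, not CyberArk code; it uses only the built-in Windows AppLocker cmdlet, service and event log, and the 24-hour look-back window is an assumption.

```powershell
# Added example (not CyberArk code): check AppLocker state on the PSM machine.
# Assumptions: elevated PowerShell session; 24-hour look-back window.
$since = (Get-Date).AddHours(-24)

# 1. Effective enforcement mode per rule collection (Exe, Dll, Script, Msi, Appx).
#    After testing, Exe must read 'Enabled' again rather than 'AuditOnly'.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$modes = $policy.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode

# 2. AppLocker only enforces rules while the Application Identity service runs.
$appId = Get-Service -Name AppIDSvc

# 3. Executables that were blocked (event 8004) or that would have been blocked
#    in Audit Only mode (event 8003): candidates for a new AppLocker exception.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = $since
} -ErrorAction SilentlyContinue)

$modes | Format-Table -AutoSize
"Application Identity service: $($appId.Status)"

# Collapse repeated events so each offending executable is listed once.
$events |
    Group-Object -Property Id, Message |
    Sort-Object -Property Count -Descending |
    Select-Object -First 20 -Property Count,
        @{ Name = 'EventId'; Expression = { $_.Group[0].Id } },
        @{ Name = 'Message'; Expression = { $_.Group[0].Message } } |
    Format-List

# Flag a machine that was left in Audit Only (or unconfigured) after testing.
$exeMode = ($modes | Where-Object Type -eq 'Exe').EnforcementMode
if ($exeMode -ne 'Enabled') {
    Write-Warning "Executable Rules are '$exeMode'; set them back to Enforce rules after testing."
}
```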

PSM Error Example

PSM Connection Could Not be Established Securely

PSM Connection Could Not be Established Securely
• When we search for a KB article with this error message, we can find the following
• It suggests checking to see if the PSMConnect user was in the remote desktop group of the Connector server

PSM Connection Could Not be Established Securely
• Following guidance, we connect to the Connector and check the RDP user list
• In this case, the PSMConnect user was already added

PSM Connection Could Not be Established Securely
• Checking another article, we can find one with multiple solutions
• From there, we can check them one at a time

PSM Connection Could Not be Established Securely
• After confirming there was no issue with the PSMConnect user account, the next step was to check the PSM service
• After verification, the CyberArk Privileged Session Manager service was found stopped, as mentioned in item number 4. After restarting the service and checking there was no error in the PSM logs, we can close this issue
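
The two checks from this walk-through (PSMConnect membership in the remote desktop group and the state of the PSM service) can be run together on the Connector server. This is an added example, not CyberArk code; it assumes PSMConnect is a local account and that the group meant is the built-in Remote Desktop Users group, and it only reports state without restarting anything.

```powershell
# Added example (not CyberArk code): repeat the walk-through checks locally
# on the Connector server from an elevated PowerShell session.
# Assumptions: PSMConnect is a local account; the "remote desktop group" is
# the built-in Remote Desktop Users group.
$user        = 'PSMConnect'
$serviceName = 'CyberArk Privileged Session Manager'   # display name from the slide

# Query the group by its well-known SID (S-1-5-32-555) so the check also
# works on non-English Windows installations where the group name differs.
$members = @(Get-LocalGroupMember -SID 'S-1-5-32-555')
$inGroup = [bool]($members | Where-Object { $_.Name -like "*\$user" })

# The account must also exist and be enabled to open the RDP session.
$account = Get-LocalUser -Name $user -ErrorAction SilentlyContinue

# Look the service up by display name; a missing service must not abort
# the remaining checks.
$service = Get-Service -DisplayName $serviceName -ErrorAction SilentlyContinue

$result = [pscustomobject]@{
    User                 = $user
    AccountEnabled       = [bool]($account -and $account.Enabled)
    InRemoteDesktopUsers = $inGroup
    ServiceStatus        = if ($service) { $service.Status } else { 'NotFound' }
    ServiceStartType     = if ($service) { $service.StartType } else { $null }
}
$result | Format-List

if (-not $result.InRemoteDesktopUsers) {
    Write-Warning "$user is not a member of the Remote Desktop Users group."
}
if ($result.ServiceStatus -ne 'Running') {
    Write-Warning "'$serviceName' is not running. Start it and review the PSM logs for errors."
}
```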

HTML5 Gateway Connection Issues

Summary
• Try searching on important phrases
• Persistence is important
• Problems have many layers

Lab Time
Please start your lab now and consult the following section of the Lab Guide:

CPC D&A - Part E - Troubleshooting
• Troubleshooting

Thank you very much for your participation!
